You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Siyao Meng (Jira)" <ji...@apache.org> on 2021/07/30 00:08:00 UTC

[jira] [Commented] (HADOOP-17820) Remove dependency on jdom

    [ https://issues.apache.org/jira/browse/HADOOP-17820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17390206#comment-17390206 ] 

Siyao Meng commented on HADOOP-17820:
-------------------------------------

After some digging, jdom 1 and 2 are still required as transitive dependencies:

{code:title=mvn dependency}
[INFO] +- com.aliyun.oss:aliyun-sdk-oss:jar:3.4.1:compile
[INFO] |  +- org.jdom:jdom:jar:1.1:compile
{code}

{code:title=mvn dependency}
[INFO] +- org.apache.maven.plugins:maven-shade-plugin:jar:3.2.1:provided
...
[INFO] |  +- org.jdom:jdom2:jar:2.0.6:provided
{code}

> Remove dependency on jdom
> -------------------------
>
>                 Key: HADOOP-17820
>                 URL: https://issues.apache.org/jira/browse/HADOOP-17820
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Siyao Meng
>            Assignee: Siyao Meng
>            Priority: Major
>
> It doesn't seem that jdom is referenced anywhere in the code base now, yet it exists in the distribution.
> {code}
> $ find . -name "*jdom*.jar"
> ./hadoop-3.4.0-SNAPSHOT/share/hadoop/tools/lib/jdom-1.1.jar
> {code}
> There is recently [CVE-2021-33813|https://github.com/advisories/GHSA-2363-cqg2-863c] issued for jdom. Let's remove the binary from the dist if not useful.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: common-issues-help@hadoop.apache.org